Cyborg

Reconnaissance

Initial nmap scan to find open ports , using the flag "treat all hosts as alive" (-Pn)

nmap -Pn 10.10.4.121

We have two ports: 22 which is running ssh and 80 which is running http

Detailed Nmap Scan :

Command Breakdown:

  • (-sV): Service version

  • (-sC): Default nmap scripts

  • (-p): Specifying ports 22,80

  • (-oN nmap): Saving it into a file called nmap

nmap -sV -sC -p 22,80 -oN nmap 10.10.4.121

Enumeration

Lets visit the webserver

Its a default Apache2 page, lets run gobuster to find hidden directories and files.

There is an admin directory, lets go check it out

Its a website with information about a person, lets explore the website and see what we can find. When you go to the Admins tab, you find this information

Looks like there is a backup called music_archive. We also get another hit on gobuster

/etc/ directory , this might be config files that Alex was talking about, lets go visit it.

Clicking on the folder we see some interesting files

We have a squid.conf file and a passwd file. Lets download these to our machine.

wget http://10.10.4.121/etc/squid/<file-name>

Lets check these files out

Looks like a hash, lets crack this using john the ripper

We found a password: squidward. Lets look at the other file

Doesn't look like anything important. One thing we did not find is the achieve file Alex was talking about, so I went to go look for it and found it here.

Lets download this.

The archive is a tar file, lets click ok after selecting save file. Now lets check its contents.

tar -xvf archive.tar

We found these files, I went through many of them and many did not make sense except this one.

Looking at this information I went to google and searched on this topic and found this page, which I saw that there were commands we could use, so I went to look for the file with which we can use borg commands, which one of them was GitHub.

Next I went here as it said that it had recent releases.

I downloaded the Linux file.

Lets list the files , I tried using it when I got this message

borg list home/field/dev/final_archive

And so I downloaded the tool, now lets list the files

borg list home/field/dev/final_archive

Earlier in our enumeration we found a password: squidward, lets use that.

borg list home/field/dev/final_archive

And it worked, we have an archive file called music_archive , now lets extract this file too.

borg extract home/field/dev/final_archive/::music_archive

Its asks for a password, and I just used the before and it worked.

We extracted a folder called alex. Navigating through it, I found this file

It has nothing interesting, I also found this file

It has a username and password. Lets try to login with these credentials through ssh.

ssh alex@10.10.4.121

We are logged in. We can also cat the user.txt file

Privilege Escalation

Lets run sudo -l to see what we can run as root.

Looks like we can run this file, lets see what it does.

Looking through it, the getopts is something that is interesting, its a built-in function to parse arguments and options to a bash script according to google. This is the article that after googling. So for a summary, passing the bash script -c arguments , getopts will take the command and then parse it to the bash scripts and then executes it. Lets run a bash command.

sudo /etc/mp3backups/backup.sh -c bash

We are now root, but none of the commands worked.

What we have to do is to add a SUID bit on bash then exiting the shell and using the bash binary to get root on the box and execute commands.

chmod 4577 /bin/bash
exit
bash -p
cd /root
cat root.txt

Using these commands we can read the root flag.

Last updated